Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set MYSQL_ROOT_PASSWORD via Secret #253

Merged

Conversation

lkpdn
Copy link
Contributor

@lkpdn lkpdn commented Nov 20, 2018

For security reasons, we better to (a). factor out hard-coded mysql root password and use Secret instead + (b). set dynamically generated random password.


This change is Reviewable

Signed-off-by: Koichiro Den <den@valinux.co.jp>
@googlebot
Copy link

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here (e.g. I signed it!) and we'll verify it.


What to do if you already signed the CLA

Individual signers
Corporate signers

@k8s-ci-robot
Copy link

Hi @lkpdn. Thanks for your PR.

I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


# Generate Secret with dynamically initialized data, so as to keep Go codebase
# simple as possible i.e., without client-go ClientSet.
cat <<EOF | kubectl create -f -
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please create a db-secret.yml not generating a key in deploy.sh.
The deploy.sh should be a simple support script.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the comment. If we still keep the password randomised as my original patch does, I may choose either of:

  • (1). make it as a go template, add a lightweight cli tool to do template.Execute()
  • (2). choose a popular template engine, such as jinja2

Does the option (1) sound ok to you? If I misunderstood your point, please correct me.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need to randomize?
Why not to make secret manifest and set a default password. Then users will edit it when they need.

Copy link
Contributor Author

@lkpdn lkpdn Nov 20, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be honest, I don't have any strong intention for randomization. I'll remove randomisation then push a commit tomorrow. The PR diff should be very simple and small one. Thanks. :)

@lkpdn lkpdn changed the title Set randomly generated MYSQL_ROOT_PASSWORD via Secret Set MYSQL_ROOT_PASSWORD via Secret Nov 20, 2018
@lkpdn
Copy link
Contributor Author

lkpdn commented Nov 20, 2018

To googlebot, abt. CLA:
I signed it!

@googlebot
Copy link

CLAs look good, thanks!

Signed-off-by: Koichiro Den <den@valinux.co.jp>
@lkpdn
Copy link
Contributor Author

lkpdn commented Nov 20, 2018

@YujiOshima please take another look.

@YujiOshima
Copy link
Contributor

@lkpdn Thank you! It gets simple!
/ok-to-test

name: vizier-db-secrets
namespace: katib
data:
MYSQL_ROOT_PASSWORD: test
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should take a "secure by default" approach and the value should be randomized, while its implementation can be a bit messy. Also it has to be initialized before the mysql pod starts up.
At least there should be an issue so that we don't forget to randomize before GA. ;-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO editing manifest for the secret before running deploy.sh seems not much burden.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To do that, users must be aware of the secret.yaml file. Randomization must happen automatically or the majority of deployments would be in an insecure state.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with your point "secure by default". How about dynamically generating manifests when executing ./scripts/build.sh, or introduce a new script, e.g. ./scripts/generate-manifests.sh? Other projects tend to have users do that sort of thing, such as $ make manifests. I think it's much better than doing it in ./scripts/deploy.sh

@lkpdn
Copy link
Contributor Author

lkpdn commented Nov 22, 2018

I'm just guessing but the test failure seems not relating to this PR. Looking into it...

@YujiOshima
Copy link
Contributor

/retest

@lkpdn
Copy link
Contributor Author

lkpdn commented Nov 22, 2018

I realized that sed -i -e "31,37d" manifests/vizier/db/deployment.yaml in test/scripts/run-tests.sh had to be updated as well. I pushed a fix f1ed1c1 b533db5. Please let me know if these should be fixed-up.

Fixes: 5312459 ("Set randomly generated MYSQL_ROOT_PASSWORD via Secret")

Signed-off-by: Koichiro Den <den@valinux.co.jp>
@lkpdn lkpdn force-pushed the set-mysql-root-password-using-secret branch from f1ed1c1 to b533db5 Compare November 22, 2018 05:14
@YujiOshima
Copy link
Contributor

Great! Thank you!
/lgtm
/approve

@k8s-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: YujiOshima

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 67e94c7 into kubeflow:master Nov 22, 2018
@lkpdn
Copy link
Contributor Author

lkpdn commented Nov 22, 2018

Thanks for reviewing.

@lkpdn lkpdn deleted the set-mysql-root-password-using-secret branch November 22, 2018 06:32
lkpdn pushed a commit to lkpdn/katib that referenced this pull request Nov 26, 2018
Commit b6f8e07 ("Update manifests (kubeflow#246)") has just changed the
namespace as a whole. This new manifest should be updated as well.

Fixes: 67e94c7 ("Set MYSQL_ROOT_PASSWORD via Secret (kubeflow#253)")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
lkpdn pushed a commit to lkpdn/katib that referenced this pull request Nov 26, 2018
Fixes: 67e94c7 ("Set MYSQL_ROOT_PASSWORD via Secret (kubeflow#253)")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
k8s-ci-robot pushed a commit that referenced this pull request Nov 26, 2018
Commit b6f8e07 ("Update manifests (#246)") has just changed the
namespace as a whole. This new manifest should be updated as well.

Fixes: 67e94c7 ("Set MYSQL_ROOT_PASSWORD via Secret (#253)")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
lkpdn pushed a commit to lkpdn/katib that referenced this pull request Nov 26, 2018
Fixes: 67e94c7 ("Set MYSQL_ROOT_PASSWORD via Secret (kubeflow#253)")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
k8s-ci-robot pushed a commit that referenced this pull request Nov 30, 2018
* Add readinessProbe for vizier-db

Signed-off-by: Koichiro Den <den@valinux.co.jp>

* Fix MYSQL_ROOT_PASSWORD

Fixes: 67e94c7 ("Set MYSQL_ROOT_PASSWORD via Secret (#253)")
Signed-off-by: Koichiro Den <den@valinux.co.jp>

* Add simple loop to wait for DB connection successfully opened

Signed-off-by: Koichiro Den <den@valinux.co.jp>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants